Posted to users@tomcat.apache.org by CBy <to...@byrman.demon.nl> on 2009/11/25 09:43:27 UTC

Advice on configuring SSL

Hi,

In my current working environment, Tomcat 6.0.18 is behind Apache. I 
don't know why they chose this setup, because Apache only acts as a 
proxy, it doesn't host anything. I do have experience in setting up SSL 
for stand-alone Tomcat, but have no experience with Apache whatsoever. 
Since I do have administrative rights for Tomcat, but not for Apache, I 
was thinking of letting Tomcat handle SSL. Is that sensible or is it 
better to configure this with Apache in this case?

CBy

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Advice on configuring SSL

Posted by Cyrille Le Clerc <cl...@xebia.fr>.
   Hello CBy,

   My preference to handle SSL at the Apache Httpd level is to insert
a header "x-forwarded-proto=http|https" in Apache with mod_header, to
transmit the request in clear http to tomcat and then to intercept
this "x-forwarded-proto" header in Tomcat with the RemoteIpValve.
   This valve will be integrated in Tomcat's distribution in version
6.0.21 and is currently available on a Google Code Project (1).

   Another solution is to introduce a second HTTP connector in Tomcat
with the attributes secure=true and scheme=https. Even if this
connector uses HTTP instead of HTTPS, the connector attributes will
set request.isSecure() to true and request.getScheme() to https.

   I have written a very detailed document "Tomcat, SSL, secure
communications and X-Forwarded-Proto" (2) that explains solutions to
handle HTTPS at the Tomcat, Apache Httpd and Load Balancer layers. The
document is written in French but the Google translation is quite good
(3).

   Hope this helps,

   Cyrille

--
Cyrille Le Clerc
cleclerc@xebia.fr
http://blog.xebia.fr

(1) http://code.google.com/p/xebia-france/wiki/RemoteIpValve
(2) http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/
(3) http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fblog.xebia.fr%2F2009%2F11%2F13%2Ftomcat-ssl-communications-securisees-et-x-forwarded-proto%2F&sl=fr&tl=en


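The two options in the reply above, written out as a server.xml fragment. This is an added example, not configuration from the original post or from the RemoteIpValve project; it assumes Tomcat 6.0.21 or later (where the valve ships as org.apache.catalina.valves.RemoteIpValve), that httpd runs on the same host and proxies to 127.0.0.1, and that httpd's HTTPS virtual host sets the header with `RequestHeader set X-Forwarded-Proto "https"`. Only one of the two options is needed; both are shown side by side.

```xml
<!-- Added example server.xml fragment (assumed deployment, see lead-in). -->
<Service name="Catalina">

  <!-- Plain HTTP connector that httpd proxies all traffic to. -->
  <Connector port="8080" protocol="HTTP/1.1"
             address="127.0.0.1" connectionTimeout="20000" />

  <!-- Option B from the reply: a second plain-HTTP connector reached
       only through httpd's HTTPS virtual host. scheme/secure make
       request.getScheme() return "https" and request.isSecure() return
       true although the hop from httpd is HTTP. Bound to loopback so a
       client cannot reach this "secure" connector directly over plain
       HTTP (assumption: httpd on the same host). -->
  <Connector port="8081" protocol="HTTP/1.1"
             address="127.0.0.1" scheme="https" secure="true"
             proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Option A from the reply: honour X-Forwarded-Proto (and the
         client address in X-Forwarded-For) only when the request
         arrives from the listed internal proxy. The header is ignored
         for any other source address, so a client cannot mark its own
         plain-HTTP request as secure by sending the header itself.
         internalProxies is a regular expression. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="127\.0\.0\.1"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpServerPort="80"
           httpsServerPort="443" />

    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

With either option, a security-constraint with transport-guarantee CONFIDENTIAL in web.xml then behaves as it would on a stand-alone HTTPS connector, since the container sees the request as secure.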


Re: Advice on configuring SSL

Posted by Pid <pi...@pidster.com>.

Neither setup is very complicated, and both are well documented on their 
respective websites.

N.B. If you are using APR in Tomcat, SSL setup is slightly different.


Side note: If HTTPD isn't doing anything extra at all, there's not much 
point in having it.  It's just slowing your response times down - 
there's plenty of regular discussion about this on the list, available 
in the archives.


p



